By John Cox
May 20, 2019, © Leeham News: The latest version of the Boeing 737 is the MAX. It has new engines, new flight deck screens and the latest in-flight entertainment systems for passengers. It is quite a change from the 737-100 that first entered service 51 years earlier in 1968.
After flying operationally for 15 months (May 2017 to October 2018), there was a loss of a 737 MAX 8 in Indonesia. Five months later, another MAX 8 crashed. Something was wrong. How could such a proven workhorse have two accidents in such a short time in very similar circumstances?
Investigators swarmed over the wreckage finding the recorders. There were similarities in the accidents and some in the media closed in on simple causes for the loss of 346 lives. It is not simple.
As an accident investigator since 1986, one truth remains with me today. It is never simple. Airplanes today are so safe, have so many redundant systems and operate in such complex airspace that the cause of an accident cannot be simple.
Since both the Lion Air 610 and Ethiopian 302 accidents are under investigation, we have to limit our discussion to information that has been publically released. While awaiting the final reports, the aviation industry must take limited data and take steps to ensure that aviation’s safety record remains intact.
The Lion Air accident is one of the most complex in modern history. Investigators found substantive issues contributing to the accident.
First, let us categorize both accidents: They are Loss of Control–Inflight (LOC-I) accidents. This accident type causes more fatalities than any other. Our industry has improved training in an effort to reduce the number of LOC-I accidents, but they continue to occur too frequently.
We have categorized the accident type but it is not that simple; there are contributing factors.
Looking at the available information, aircraft system design, system certification, maintenance, safety information within the operator, pilot actions and training all appear to have contributed.
The Lion Air crew did not know of a system added to the MAX known as the Maneuvering Characteristics Augmentation System (MCAS). It caused the stabilizer to be trimmed nose down without pilot input once the airplane accelerated and retracted the flaps.
This occurred as the stall warning device known as a stick shaker noisily shook the control column, causing confusion in the flight deck. Both were the result of erroneous data about the angle of attack (the angle between the wing and the air passing over it). The pilots now faced multiple faults from an unknown cause and the situation was getting worse.
As the airplane struggled to climb, the airspeed increased. The airspeed increase caused the stabilizer to be more and more powerful compared to the elevator. The elevator is what moves when the pilot moves the control column while the stabilizer is moved by an electric motor in trim system. As each second ticked by, the airplane accelerated, making it harder to control.
Why did MCAS trim the nose down? The central design goal of the MAX design was to improve fuel efficiency. New engines could do that, but required bigger initial compressor sections, known as a fan. This required the engine to be move forward and raised to keep the necessary ground clearance while taxiing.
One consequence was the reduction in the nose pitching down during lightweight stalls with the airplane loaded as far aft as allowed. The FAA and engineers found it needed help the nose pitch down during these conditions. MCAS was the solution.
MCAS only took in information from one sensor. It did not evaluate if the data was similar to the other sensor on the opposite side of the airplane. Consequently, if the sensor data were erroneous, MCAS would activate even though there was no stall.
Erroneous data would also cause another stall prevention device to violently shake the control column. A system safety analysis should have shown that these two stall prevention systems could be caused by a single failure of Angle of Attack (AoA) data.
If MCAS activated inappropriately, could the pilots stop it? Yes, they could disable the stabilizer trim motor with switches. This makes the assumption that they realize what is happening and follow the procedure for a “Runaway Stabilizer Trim.” But is not that simple.
In the MAX, the stabilizer moves frequently without pilot input due to another system known as the Speed Trim System (STS). STS moves the stabilizer during acceleration or deceleration to maintain the proper feel in the control column.
The pilots of Lion Air 610 faced a challenge: the stabilizer trim was moving as the control column was getting heaver due to the acceleration. Was this a “runaway trim” or STS? Did they realize the trim was moving with the noise of the stick shaker masking it?
On the previous flight with a different crew, similar events occurred, but that crew had and additional set of eyes in the flight deck. A pilot on his way to work, riding in the jumpseat, saw the trim moving as the crew fought for control. He alerted the captain and the trim system was manually disabled. They made a safe landing.
This should have alerted the accident crew of a potential problem.
It is not that simple.
The safety report never reached the accident crew.
Lion Air maintenance had been working on problems for the three days prior to the accident. Instrument warnings were occurring flight after flight. The simple solutions were not fixing the problems. Maybe a sensor was the cause.
With that hypothesis, they changed the sensor, even though it was not definitely the cause of the problems. Even with the new sensor, the problems continued. It was more complicated.
Now, investigators have contributing factors of design, certification, crew action, maintenance trouble-shooting, failure to remove an airplane with recurring problems from service, failure to provide crews with critical information of problems encountered on a previous flight, and the addition of a system that could trim the stabilizer without pilot input without informing the operators.
There is nothing simple about this accident.
Ethiopian Airlines flight 302 faced similar challenges, but there were no maintenance problems and the crew knew about MCAS. It is a bit simpler, but still a very complex accident.
Investigators will finish their reports in upcoming months. Regulators will very carefully review the system improvements to the MAX before it return to the air. Pilots will be trained about the flight control system, including MCAS. Maintenance technicians will review trouble-shooting airplanes with recurring flight control problems.
The 737 MAX will soon return to flying passengers around the world. The tragedies will not be forgotten and the lessons will be remembered.
Our robust aviation safety system must carefully review new designs for latent single point failures that can cause multiple, complex problems. Pilots should be trained about new additional systems added to new models and how malfunctions are to be handled. Additionally, pilots must train to fly manually when automated systems become inoperative and maintain the proper airspeed. Operators must carefully monitor aircraft experiencing recurring technical problems and remove them from service.
We will fly over 4.5bn passengers this year. The two 737 MAX accidents remind us of the importance of ensuring the safety of each passenger. We have built the safest public transportation system in history, and it will continue to improve.
We will do what it takes to ensure it does, but it will not be simple.
John Cox has a 49 year career in aviation with over 25 in commercial aviation, including as an airline pilot, instructor and test pilot. He has type ratings in the Cessna Citation, Fokker F-28, Boeing 737, and Airbus A320 He has been an independent air safety consultant since 2005.
In your career, have you seen a similar UNDECLARED system to MCAS that overrides the pilot in pointing the nose down? I believe this is the point of contention for most people. The denial, of responsibility, blaming the pilots and lack of self awareness from Boeing makes these 2 crashes different. My 2 cents.
I agree with you, “W”.
There is something pretty simple in all this.
Boeing took a plane that was fundamentally safe (NG), and did a crap job adding a system of dubious rationale and zero technical integrity onto the aircraft. Then went out of their way to tell no one about it.
In your career, have you ever experienced a plane being upgraded in such a reckless manner as the NG into the MAX?
Boeing management apparently did not accept the fact that the 737 could not be updated to the new generation of higher bypass, larger engines without significant changes to major systems (landing gear, tail,…), and changed type rating, meaning they would lose the race against time and the NEO. And so they built a plane that should never have taken to the skies.
You state that “it’s not so simple”, while in fact you overlook the very simple fact that the MAX is not an airworthy plane.
Mr. Cox, as author of this article and being a sage of the industry, is quite rightly not about to say something momentus without incontrovertible evidence to support it.
People in such a position are at present in a bit of a bind. They can read the Seattle Times and Wall Street Journal as well as the rest of us, and must surely feel that something somewhere has gone very wrong indeed, needlessly so, and in the interests of money at the cost of engineering integrity. Everyone in the industry knows that this really is a very big deal indeed, so damning Boeing / FAA is not to be done lightly by senior industry figures, without proof.
(Interestingly that’s not stopped some all-Boeing airlines being seen to have chats with Airbus, etc. They might be voting with their feet)
The difficulty such people have is that the proof may never be surfaced. So the bet-your-life question is, without that proof at what point do senior industry figures say enough is enough and actually condemn what’s been going on? If they don’t, more people may die. If they do, they really do risk getting sued to smithereens by Boeing.
So the future of aviation safety is in the hands of the DoT, DoJ and FBI investigations, and possibly other governments and their agencies giving the US government and the FAA a few home truths. Given that this is getting political pretty quickly in DC, I can’t imagine such advice would be warmly welcomed. Politics and safety engineering is an appalling mix.
Fundamentally, having the FAA being run by a political appointee and having funding levels controlled by politicians susceptible to lobbying is the problem. Now, changing that arrangement is likely unavoidable if the FAA’s credibility is to be restored globally.
Boeing took a plane proven to be reliable and in order to “modernize” it with new engines changed the plane’s center of gravity to that trim was required for straight and level flight.
For marketing purposes, namely eliminating the requirement for pilots to receive additional training to be checked out on the plane, they purposely withheld info on the MCAS system.
And the FAA is just as guilty as Boeing in allowing the company to “self-certify” the plane, even though Boeing didn’t bother to tell the FAA the MCAS “authority” was 4x that which had been revealed.
Boeing deserves whatever punishment is meted out and let’s hope it’s substantial with C-level execs serving hard time. Meantime the FAA needs to come to the realization that being a cheerleader for the industry is a distant second to aircraft safety.
Part of the blame lies with the major airlines as well. They have pushed cost control to the point that they didn’t want difference training to be more than a couple hours coursework on a tablet.
Certainly fleet commonality is of value. But, for example with SWA, they knew there were differences, hence they had to retire the last 733 to begin flying the Max.
But as long as the bean counters at both Boeing and the big airline customers demand it, kludges like MCAS cannot be ruled out. The focus on safety as the bottom line must be returned.
And next comes the 777X. I hope the FAA gets properly funded and takes away the self certification from Boeing before that monster gets into service.
You are quite correct Mr. Cox. This is not simple.
But while I agree with what you have written here about the complexities of aviation accident investigations and about both the similarities and differences of these two incidents in question, for me the real reason this is not simple is, sadly, politics and business.
Boeing and the FAA are taken a public relations beating at the moment for their insistence that they have done everything correctly on the 787 MAX8, while a great majority of others do not see things the same way.
I understand the point you are trying to make with this post. We should all not be jumping to conclusions at this stage of the investigation for both of these incidents. it is a valid point.
Here is the rub, both Boeing and the FAA have been insisting from day 1 that they have done everything correct, that the MCAS is not (really) part of the problem, that the initial design, evaluation and certification of the 737-MAX8 was done correctly. All of this before any real information had really come out.
But in the same breath, both are working on a new version of the MCAS software, which, according to them, was actually was working quite fine, thank you very much.
Perhaps people are jumping to conclusions. The problem is that we are all seeing Boeing and the FAA doing it as well. And they seem to be wanting it both ways. On one side we have, trust us, we already know everything is all right even before the investigation has really gotten going, but please don’t jump to conclusions until the investigation is completed. On the other hand, we have, even though the investigation is far from over, and we believe there are no problems with the aircraft, we have already come up with the solution to allow it t fly again.
Indeed, this is not simple and neither are the people reading this.
Deep lack of self criticism, an unchallenged believe in “Our robust aviation safety system” and strong national Boeing/FAA/Congress cooperation let to the current MAX drama.
The Lionair crash was handled by a totally different system than “our robust aviation safety system”. Perception Management, paying off, hiding behind ongoing investigations, out communicating, reputation power play, pilot error, satisfying the home public. Another third world crash. Reading back, published before 2nd crash, repulsive.
The Chinese and EASA pulled the break on the MAX. Totally justified as we know now. The FAA / Boeing were the last to do so, kicking & screaming. Totally unjustified as we know now, a real system failure.
Boeing / FAA have to convince foreign authorities to clear the MAX now. Nobody is interested if Boeing, the FAA or congress likes that. Times have changed.
It would be simple if Boeing accepted the need for hardware changes, recognising that software changes alone are not enough. Afterall they did increase the size of the stabiliser for the 737 NG. Why not do it again for the 737 MAX? At the same time give manual trim an electric motor.
Yes, I know Boeing should have given the 737 a new undercarriage and mounted the engines properly with a pylon. Moreover they should have built a new NSA!
If you give manual trim and electric motor its no longer an independent backup.
This is not a FBW aircraft, so the backup has to be separate and work.
I don’t know what the answer is, but it has to be withing the design of the aircraft which is 40 years old.
The answer may be to ground the entire 737 fleet and declare it junk.
A separate electric motor that is independent of the automatic electric motors that are used by the FCC. Doesn’t need to be FBW. The manual trim cable can just pull/push a lever on the electric motor.
You miss the point, the electric motor would also have to be separate electrical system (possibly battery backup)_
How that could work vs the redundancy acquirement of the certification’s of a 40 year old aircraft that was all manual is not something that has been done.
You have to assume its not easy if its not been, its not like this is a new issue, it goes back to the 707 and 727 as well, so its really a 50 year old design.
You can’t just willy nilly it here and there (MCAS is a stark example of doing that)
Major additions have to be put in withing an existing structure and those system are tightly packed.
With bad software you can clip, insert, add routines to correct.
Aircraft are not so easy. Maintaining the redundancy is not so easy.
To retrofit would be a nightmare.
So ground all of em?
Boeing’s design solution shows all the properties of a booby trap.
Stealthy, insidious and ( for the top layer visible objective ) well below state of the art solutions.
Going over the information available one could tag this as an intentional booby trap ( it is well known that corporate culture in the US has a thing for weaponizing “anything” ) or as greed gone majorly overboard.
it is neither bad luck or an unintentional oversight. ( Rumsfeld : unknown, unknowns )
Thus, Mr Cox the apple is thoroughly rotten.
Hmm… No one is saying it was simple. But the root cause was the ill-designed MCAS. Single erroneous input (one AoA sensor) was used to activate MCAS without cross-checking other inputs to make sure that stall was indeed imminent. Blindsiding the pilots by not publicizing the presence and characteristics of MCAS made Lion Air pilots look through QRH frantically to find a solution to a problem, the root cause of which they did not recognize and hence could not solve. As for the Ethiopian crash, which you do not go into, the pilots did recognize the activation of MCAS, but were unable to move the stab manually because of the huge aerodynamic forces. These things should not happen, whatever the complexity of the incident. Engineers are supposed to design fail-safe systems, not ones that confuse the pilots and take control away from them. It is that simple!
Agreed, engineering wise it is that simple.
For the pilots, the opposite was true. Total bedlam on the flight deck as false information after false information was fed to the pilots by a FCC in total meltdown. Boeing also need to do something about the FCC
There needs to be some very clear aspects here.
The FCC did not supply false information, the AOA did, the FCC is as dumb as rocks, it only can output what its fed.
Further, only the FCC on the Pilots side was picking up the issue.
Flip to the other pilot and he at least not longer has stall and alarms (MCAS 1.0 continues its evilness)
FCC is not the issue.
You can argue the 737 is the issue and should be grounded and willing to take the world wide impact to the transportation system.
Mr. Cox gives one of the best evaluations of this situation I have seen so far.
The poor design of MCAS, the poor communication about the system, and the lack of coordination in the whole process are things that are more easily addressed — though not simple.
The most important item in Mr. Cox’s article is this — “pilots must train to fly manually when automated systems become inoperative . . .”
In some areas of the world, the pilots are well trained. Unfortunately, in others they are not — and it pains this CFI of 36 years to say that. I believe it was one of the congressional hearings where someone said something along the lines of the airplane needs to built to the lowest common denominator.
I disagree with this thinking.
The pilots need to be trained not to a minimum but to a full level of competence with the airplane. I don’t believe that training is being accomplished everywhere. That needs to change. The 777 accident at SFO is a prime example of where training is/was insufficient.
I am NOT placing sole blame on the pilots in these accidents. As Mr. Cox says, it’s not that simple. What I am saying is that training plays a role in every accident and improvements need to be made to bring us to a world-wide standard that does its’ best to insure safety, not simply meet a minimum.
Training is essential.
But your argument ( and that of Mr. Cox ) throws away progress to the tune of 50 years.)
Accident rates have come down because those flying machines are no longer fickle monstrosities that kill naive users on a single small error. The MAX turns the wheels back to 1955 with a stealthy, unexplained fault reaction. Back when it was due to insufficient understanding/handling of faults. Today it is the premeditated omissions by Boeing that depress the statistics.
It is extremely arrogant to shove this away via “lack of training”.
If it was lack of training the US “best of the best of the best” pilots should have shown instances of MCAS unexpected run away activation _that were handled masterfully reflecting the perfect training state of those pilots._ ( no examples available 🙂
Explanation is much simpler and does not need to denigrate those “ThirdWorlders”:
due to distribution of the delivered MAX frames foreign airlines just had a 4fold higher chance of hitting this design fault.
( My guess : by flight cycles this rate might be even higher due to earlier deliveries abroad )
I totally agree that it was not that simple, few accidents are.
While the press focuses on the MCAS system one can only hope that the pilot’s actions and inactions are not lost. In both the mentioned accidents the initial problem was a stick shaker (plus Airspeed and Altimeter Disagree annunciations on the Captain’s PFD). If each crew had isolated that “abnormal” and dealt with it the MCAS system would never have come into play.
There is a huge reluctance on the part of crews to “take over manually” and stabilize the aircraft. Had these crews simply climbed to a safe maneuvering altitude while maintaining their T/O flap configuration and leveled off the could have “created time” to safely diagnose the problem and determine the best course of action.
One issue that cannot be overlooked is that both crews allowed the aircraft to accelerate to Vmo. One crew never reduced power from T/O thrust! This increase in airspeed, as noted in the article, caused the stabilizer to become very powerful and may have made it impossible to manually trim the aircraft.
So it appears we have design errors, maintenance errors, crew errors and training errors. There are many reason an AOA might produce faulty information. Crews must be training on the existence of all systems on the aircraft, how to recognize faults and then how to deal with various scenarios, including flying the aircraft back for an approach and landing using manual trim.
No one, simple solution. It appears Boeing will address the redundancy issue by comparing output from both AOAs but will the regulatory agencies and airlines spend the required funds to train their pilots?
Just regarding the issue of ET302 pilots keeping T/O thrust, they were climbing out from a hot, and high airport.
Once MCAS kicked in with AND, and they had ‘Don’t sink’ warnings in the cockpit, you’re stuck with a catch 22, which do you prioritise, getting the nose up, or keep your speed below 250 knots.
Mr Cox, please correct me if I am wrong, if you are already nose down, backing off the throttle will increase nose down angle will it not ?
I’ve seen quite a bit of discussion, that even in the NG, if you increase throttle, you get an ANU moment. I’d really like a totally objective 737 driver’s view, taking into account airport, air temperature, aircraft height AGL when things started to go wrong, when MCAS kicked in etc.
John Fox is right, there is still something very fishy about the Lion 610 (and its preceding flights)
They did try to fix the AOA, they failed.
There was also a false speed input into at least 610.
As the AOA has two channels to two seperate computers, why did not the 610 Miant work fix it, do we have a bad spare AOA?
Did they damage the Pitot system when they worked on it.
And why was it not caught on tests and checks?
Ethiopian may have been a bird striker making it as noted more straight forward that triggered a bad system (MCAS 1.0) into its lethal action .
If you fix the hardware and problems persist you have good indications towards a software bug. ( Here the analog AoA signal processing to digital for feeding to MCAS and other data sinks.)
Afaics Boeing is trying to hide that issue. ( Similar to 787 batteries burning where the original enclosure and cell design promoted problems but the core cause was overcharging that B never confessed up to.
At issue is the fact that Peter Lemen confimred that the AOA has two sepeae channels.
In laymen s term, there are two seperate wiping resisters on the same shaft.
Each one has its own wiring.
Eahc one of those wired circuits goes to a different computer.
Both computers reported identical rusults.
So, its an unknown, but clearly by logic, it was not a software bug.
This reminds of THY Flight 981 were the rear cargo door blow out due to faulty door latches, March 3, 1974. An interim fix of the locking lever was made so it could not be closed unless the door was correctly latched. Even though Plane 29 was in possession of McDonnell – Douglas at the time, before delivery to THY, the fix was never installed. The FAA and McDonnell – Douglas decided this fix could be installed on a time available basis.
The FAA appears to be in bed with Boeing on the 737 Max – 8. The number of poor design decisions made and not caught is astounding. From the aircraft its self to the simulators not being correct.
Will we every learn!
NO, Trump is trying to tear up the Maconda protections now as well.
Its just a game to them.
John, well written and to the point. Both accidents are in the investigation phase, so let us not draw to bastant conclusions at this stage, an open mind is important, in particular when we now look at what it is to learn from the accidents.
It is a bit strange that the Lion Air accident pilots did not learn from the previous flight. But it is (more) strange that the Ethiopian Airlines pilots failed to detect the reason for the nose down command, after all the publicity following the LA accident.
The LA preliminary report shows that the two AOA sensors had different values before the takeoff roll. But the stick-shaker function doesn’t work until activated by the Weight-on- Wheels switch, i.e. at rotation. Perhaps (at least) a prewarning could be implemented?! On the EA flight, one of the AOA sensors went off scale at rotation. Today inputs from analogue sensors can be closely monitored and deactivated when ‘strange’ readings occur (suchs as going off scale in one scan). Let me illustrate this with an example. Modern gyro compasses get lattitude information from the GPS, – their reading will vary with lattitude. I saw a system whereby the lattitude changed to equator upon loss of GPS signal. To move 60 degrees lattitude in one scan/second is impossible. So we made a ‘common sense’ filter.
Voting several sensors would help, but we have had accidents and incidents where two-out-of-three sensors froze in the same position. So it is perhaps safer with voting, but it is safe enough? What about the quality of sensors; one ‘super’ sensor may be as good as three in a voting configuration.
Another question is how much the pilots need to know about what’s go on in the background. Some pilots may listen to the stab-wheel and couple the spinning to the expected speed trim system’s actions, and perhaps have noticed the irregularities with the MCAS runaway early enough to avoid the accident.
So, hopefully the aviation industry will raise to an even higher level of safety in the years to come.
Unfornatly this gets complex quickly, slam dunk answers per others are not easyt.
LA Not Learning: That acualy makes sense as it was written up wrong. As the pilots on the two previous flights did not know what the issue was, they wrote up what they thought it was. And in both cases the aircraft should have been grounded until tested.
Also keep in mind that with AOA disagree and lockout of MCAS, that will not occur. The freeze up can only take place at altitude. There is not a third one to disagree with so nothign would happen. Its a manual control 40+ year old design approach not an FBW desing so there is a whole different set of rule involved in redundancy. FBW hs 3 of everything, 737s has two (though it has a third Pitot static system)
I do work with limit on inputs and yes you can have a UNREL and the system quits using that. Why this was not done I don’t know and I don’t know if its allowed in a primary flight system (mechanical system will do that)
MCAS 2.0 also limits authority (how far its allowed to move the Stabilizer) as well as you have to repeat a stall to get ti to activate again.
Background noise wise with stick shaker and stall alarms on the single AOA its iffy if they could hear the wheel turning.
And adding to the criminal nature, the newer Sims were not programed to reflect what happens with the Trim Wheel at high speeds (can’t move it)
As a simulator is certified to be exact to the Aircraft, removing a feature is criminal.
And for EA that was what killed them, not knowing the manual trim issue with all the other lethality of MCAS 1.0
TW, thanks for comments.
You (!) should know what happened to Trans World flight 843, I think it was, at JFK back in 1992. Then one faulty AOA sensor was the root cause for an accident.
I seem to remember the following from the NTSB report: when the stick-shaker goes off at rotation, you are still a good step from stall. When the primary flight instruments and what you can see and feel looks okay, the most probable cause is a faulty AOA on the side of the Shake. So continue takeoff and sort out the problem.
The LA pilots soon after the MCAS ‘took off”, lowered the flaps for a short period, with no nose-down commands. Unfortunately, the did not connect the flaps position with the ‘Hstab’ runaway.
Being an instrument and control engineer (with a keen interest in aviation), I easily see the consequence of a faulty sensor (in this case), and the possible consequence. I am not a professional pilot, and cannot, as such, judge the logic/common sense, behind BA’s statements that the pilots should detect and treat an MCAS runaway as a Hstab runaway. The software changes no implemented looks good, and seems to represent common Sense. What puzzles me is: why wasn’t it included in the original design. It would not have altered any of the design premises for the ‘fly like an NG’.
The Qantas flight 72 (2008) was packed with redundancy, and so was AF447. The first became a very serious incident, the latter a fatal accident.
As i often state: In technology nothing is 100% (safe)
Finally, where I live people and ‘things’ may freeze up at sea level for six months of the year.
Svein: You are welcome.
One that is worth reading about is a BA 747-400 that took off from Johannesburg South Africa some years back.
The key item was that there is a cowl thrust reverse switch that triggers slats up to prevent debris injection on landing. Slats down for landing but as soon as the thrust reverse kicks in (moves) they go up. All fine.
There is some cross information, but one or two of those would do that.
What happens on takeoff when you have your slats down and desperately need them (Jo Berg is 7000 feet) and they retract?
Yep, it happened. The Cowl moved a bit, the switch said it was deployed, up came the slats. The pilots limped it along , got them deployed again and landed but it was on the ragged edge of coming down (full fuel and large pax load right over Jo Berg)
Now why any one in their right mind would not see you should cross select an input input into the system NOT to allow that on takeoff. Insane logic.
You would think Boeing would know better. Sheer stupidity.
The result was they decide it was not such a big deal and disabled the system.
As a control guy you know how nutty the options can get.
Sanity is coming up with the logical choices and assessment. It really does not matter if its flight critical or not, why would you do that Boeing did?
Do you need your Fan System to launch a rocket if the freeze stat triggers? Nah. Can you do it? Sure.
One of the shames of LA 610 was that they did put the flaps back down and it stopped. As a pilot I would say, thank you, leave em down, land it and figure out what was going on.
But it appears that Lion Air pushes its pilots to keep going (two flight prior as well) regardless.
It is even more complicated that you suggest, since you maintain your belief in the overall system. As a surviving relative, I do not. All must be questioned.
But, getting back to details, in addition to the single AoA input, Boeing named “other system inputs” to MCAS. Flaps up/down is one, as all are aware. Mach was another, but I do not know the mathematical function underlying that input. Clearly MCAS should have been turned off by the high airspeed since loss of control is predictable under some loss of elevator authority at high speed when MCAS activation occurred. The point is that MCAS itself is not simple. It had multiple design errors and maybe even some mistakes (e.g., multiple activations).
I hope that you consider root causes, the failure of Boeing to heed the Allied pilots advice in November and the POTENTIAL for accidents that Boeing-FAA put out there (i.e., consider the scenario where both sets of flight crews had saved their particular planes).
Boeing’s new ’797′ could be built to fly with just one pilot on board – https://www.cnbc.com/2019/05/20/boeings-new-797-could-be-built-to-fly-with-just-one-pilot-on-board.html
But that’s ok, “A second pilot would be ground based and be able to “monitor several aircraft” at the same time.”
Two pilots in the cockpit, and a third monitoring from the ground, yes that would be helpful, but only one pilot in the aircraft, and one on the ground monitoring how many other aircraft ? No that is just about money !
Imagine pilot on the ground, “gear up, … no wait sorry you’re landing, I meant the other guy who has just rotated”.
Or maybe pilot in the cockpit is incapacitated, that’s ok the guy on the ground will land the airplane, … no it seems there’s a problem with the software / connection. Captain Cracker may land the plane or he may circle over a large city until the airline hands over a large sum of money.
I do hope that headline is just clickbait.
JakDak, I read the CNBC story; interesting, but nothing new. The story said ‘cockpit built for one pilot’, but I guess it will be built for two, – for training and flights that are ‘a bit challenging’.
I remember when the 737 was new, and was designed for two in the cockpit, the US pilot unions said NO, it,s to dangerous. Today Global Hawks fly around the world, on missions from the military or as a Hurricane Hunter; no one in the cockpit!
Today the limit is nine pax for single pilot operations. I believe we will not go from here to the NMA in one step. Older C130 Hercules had four in the cockpit, now they have two (+ the loadmaster). Perhaps, in the future, the co-pilot and chief purser will be merged. After all, during take-off and landing, the critical phases of a flight, the chief purser rests in his seat, and at level flight the pilots ‘rest’ in theirs. Perhaps, well designed and tested aircraft systems, may raise the ‘lowest common dominator’ in the cockpit. And that is what (at least some in) Congress has suggested.
I understand technology moves on, but there should be sensible limits.
Basing MCAS on input from only one AOA sensor was clearly a mistake, now they’re going back to two.
“well designed and tested aircraft systems” like MCAS 1.0 ?
Or a fully automated aircraft would not have had any issues!
We are caught in between and thro9ugh in some god awful design issues (and far form the first time for many but having watched this industry for 60 years, its far from the fist, just software not hardware)
You will note it says tested on cargo first (NMA-F?) its all wild speculation.
It may have architecture that will allow that but it will have two pilots.
And $64 questions, has having two pilots saved how many aircraft?
Certainly not the last two and LA had a clue when he put the flaps down it stopped and then pulled them up again but never put them back down.
Used to be a Commercial that said, This Hurts.
The FIX: Don’t do that.
It is a somewhat irrational world. A rational world being where honest transparent explanations are financially rewarded. When I see a 500 billion class action suit against college cheating, one has to wonder what figure would be thrown at Boeing if they admitted complete fault? Do they avoid claiming entire responsibility and take the financial hit of a longer grounding, or own it, fly sooner, but take some astronomical court damage by doing so?
MCAS 1.0 was a mistake entirely by Boeing. But that mistake could have been corrected sooner than the final FAA grounding, if the system of safety checks and balances had worked. It failed at with the lack of a review agency catching it to begin with, the pilots not diverting and communicating the problem, maintenance, the airlines, Boeing not grounding the aircraft after the first crash, the FAA not grounding the aircraft after the first crash. Across the board a complete breakdown of seriously addressing a severe unknown apparent problem.
Very important point missing- main question is, wiht all the flaws in design and instructions, how could that system be developed like this and certified.
Boeing already was close with the B787 battery issues, didn’t they learn a thing from this at Boeing and FAA?
For this design, Boeing officals should be in jail, it was at least manslaughter.
Either they took it in account – or even worse, they really didn’t realize how dangerous this system could be.
That pilot on the jump seat @ lion air made the heck of a job out there, as he realized as the only one out of 5 pilots they have a trim issue.
I see the complexity, but the basic is the design of the system, which is against principles in modern aircraft design and certification.
As long as this isn’t fixed, you can not set a foot in a new Boeing product.
The actually failed 3 times in a row now – they didn’t learn from B787, they didn’t learn after Lion air crashing, and they didn’t act after Ethopian.
They did, when the Chinese grounded their faulty piece of….
but I’m not going, if it’s a Boeing.
The MCAS system was initially classified as a non-critical system, allowing it to evade FAA scrutiny. This was possible because the initial design only made a small correction. However, later the correction was increased, and MCAS should have been reclassified as a critical system, which Boeing failed to do.
Yes, and the classification was dead wrong. 346 dead, to be more precise.
This brings me to my point: Didn’t Boeing realize, while testing etc. what kind of system MCAS is?
It sounds so lame but in fact is a system that changes important metrics flight controls.
Did they realize?
How can a software like this pass quality management, development processes, simulation, testing, certification wihtout anybody noticing what saftey flaw they did build in?
Even after Lion Air crashed, and MCAS was identified as an issue, did Boeing know what’s going on?
I even don’t know what’s worse – Boeing willingly went for this risk or Boeing didn’t realize.
if I were the authorities, I would have raided Everette to figure out what Boeing did and what they knew.
The classification came from Boeing itself – how could they – and FAA let this go through?
Boeing is lucky, if it would have been an US Airline that had crashed, Boeing would be done.
“The classification came from Boeing itself – how could they – and FAA let this go through?”
Because of deregulation, airplane companies now certify their own planes.
The problems with Boeing seem to have started after the absorption of Lockheed-Martin. Boeing used to have a rule that managers from the military part of the company were never transferred to the civilian part. That is not true anymore. Perhaps there was an expectation that the good practices of the civilian side would disinfect the military side but the reverse seems to have happened.
thx Edward, I didn’t know that one.
So far it seems to me, Boeing has lost the ability to design, develop and build safe modern civil aircrafts.
The B787 battery incidents was already close, the B737max tops it.
Apparently, Boeing’s post-crash MCAS fix is going to be a software update. They are not even going to use a second Angle of Attack sensor. Shouldn’t MCAS be reclassified as a critical system, and wouldn’t that require a second sensor?
Okay, I have learned I got this wrong; the revised MCAS will use 2 sensors.
The failure to ground the fleet after Lion Air, all the while they were feverishly working to fix MCAS before another plane crashed…that is IMHO clearly criminal negligence. They KNEW there were serious flaws, all the did was say hurry up while they gambled with other peoples lives.
Focussing on the flight stability problem and it’s solution is a diversion itself. A welcome diversion.
On a blog I read, Naked Capitalism, one commenter, “737 Pilot”, claims that activating the yoke trim control on the 737 MAX deactivates MCAS; a pilot could then fly indefinitely in spite of an MCAS error, albeit in a jerky fashion, with MCAS periodically, briefly, pitching the nose down and the pilot making a correction. The press seems to be misreporting this fact, giving the impression that MCAS cannot be overridden.
There is also a question of whether MCAS is even necessary. This system was introduced to make the 737 MAX fly like older 737 models, so 737 pilots would not need new training to fly the new plane. However, if 737 pilots were given new training would MCAS even be needed?
If the pitch up builds up progressively at high AOA’s, things can get unstable pretty violently around stall speed, you don’t want to leave that in the hands of a human..
Sorry, humans handle stalls just fine, been there, done that 100 times.
You have to see if the counter trim exceeds the MCAS trim and how far down it pushes it each time.
MCAS kicks back in after (5 seconds?) but I don’t know if Trim stops it
But as noted, trying to trim, it kicks in, trim again all while you have stall alarms and stick shaker is getting into task saturation even for two pilots.
TW, isn’t the point to forget the stick-shaker, it was obviously wrong, and instead focus on the pitch control? On the LA flight prior to the accident one, the pilots ‘flew away’ for more than an hour, in manual mode with the left stick-shaker going.
Or is it so that pilots react differently to the stick-shakers, ranging from calm (scanning the instrument and looking out – AOA must be wrong) to more ‘panic like behavior’ (we stall – crab the yoke and push it forward)?
This is what “737 Pilot” wrote at Naked Capitalism:
As soon as a pilot puts in any amount of trim with his yoke switch, MCAS stops right there – it does not keep going. The pilot can then take out any trim that MCAS put in. After 5 seconds of no input, MCAS will try again, but again, the pilot can stop MCAS in its tracks – none of this letting the trim run for 10 continuous seconds. (BTW, this functional description refers to the original software, not the replacement)
MCAS can trim much faster then the electric trim ( i think 5 or 10x) though, so unless the pilot knows whats going on he’s fighting a losing battle.
The electric trim shuts off MCAS, according to “737 Pilot”.
That MCAS move the Hstab five to ten times faster sounds strange. We talk about the same electric source and drive motor, and to me it sounds strange that the MCAS shall be superior to pilot action.
Edward is correct, the pilots can override MCAS using the yoke switches or the cutout function. As long as the yoke switches are in use, MCAS is off, and will be so for five seconds after the yoke switch is released.
So Mark from Toronto, where did you get the informations? The different system have limits on how far you can drive the Hstab. Typically, the autpilot has a (much) smaller range than the yoke switches
No turning off auto trim shuts of MCAS AND electric trim. The ET pilots were triming up with electric trim and then MCAS kicked in and with its greater authority, it dived the plane it the ground.
Mark from Toronto, if you look at the DFDR data from the Lion Air preliminary report, you will see that the quite many (20+) events where the MCAS commanded AND, and the pilot followed up with a yoke switch ANU. The aircraft followed an ‘up and down’ (light) roller coaster. The horizontal length of the line indicates for how long the command was activated. Most of the MCAS activations were shorter than the maximum 10 seconds. They did probably not know what to do next; like the pilots on the previous flight.
The preliminary report following the EA accident indicates the same.
But instead of me explaining, look at the site SATCOM.GURU. There you find a very detailed walkthrough. If you after reading Peter’s story still stick to your present position, let us know.
I was mistaken in saying it was 5x but it is faster. Here is the article I got that info from:
Hi Mark from Toronto, another day, and a possibility for more insight for all of us. Exchanging views and thoughts will hopefully bring us all to a ‘higher level’. I am only interested in the technical part with side view to human resources; in some ways the spirit of IACO, Appendix 13.
I have read the Flightglobal story you referred to, and looked into the various aspects of the Hstab operation. You are correct in saying that the Hstab moves faster from MCAS commands than from yoke switch commands with flaps up (0.27 vs 0.18 = 1.5 times faster). The Hstab speed with flaps down is faster than with flaps up. The possible movement ranges varies as well with system mode.
But the assumption that MCAS will activate for ten seconds, be off for five, and the ‘take off’ again, and in a way override the pilot, is wrong. The yoke switch will cancel the MCAS command, and activate the ‘pilot’s choice.
The FAA emergency AD following the Lion Air accident, advice two possibilities to arrest the MCAS activations; (1) set cutoff switches to off and use manual operation of Hstab, or (2) use yoke switch to arrest MCAS and bring the aircraft to level position, then set cutoff switches to off and continue manually.
Another thing about the FAA ADs; I find them, from an ‘easy to catch the point, and understand the instructions’, poorly written.
I have read some NASA Human Resources group documents. Automation watching human (operations) works much better than humans watching automation, is one of their observations. Are the pilots becoming more (and more) operators pushing buttons, and their flying skills fading out? Is more simulator training an answer?
When I lived in Japan, I was impressed how often they practiced their ‘golf swing’; they did it waiting for the ‘green man’ at street crossings, at train station, and at every opportunity they had. Perhaps an idea for pilot training, we are just an APP away. Will we ever see a person acting a bit strange at the bus stop, and wonder what’s going on; until someone comes up and tell us ‘it’s nothing strange, it’s a pilot practicing, and to me, who is a pilot as well, it looks like the subject is Hstab runaway’.
When you look at that AD you are relying on a very acute level of situation awareness. Use trim swich to neutralize MCAS, plane is in slight climb, you don’t want to go too steep as stick shaker is warning of stall and you have no reliable airspeed. 5 seconds later MCAS kicks in… by the time you realize what is happening you are in a steep dive to the ground and you can only counter at 75% of the rate MCAS put you there. Game over.
I agree to the statement that this part of the MCAS functionality is unclear. My understanding from what I read, is that using the yoke stab switch(nose up command) when the MCAS is in nose down command the following happens: (1) the nose down command is stopped and (2) a nose up command is initiated. Then (3), will the nose up be active as long as the yoke switch is engaged? And (4), will the MCAS be reset five seconds after the yoke switch is released?
And is it any command time limit on the use of the yoke switches, i.e. will the command be stopped after a given time?
This seems like a logical function, to me. The pilots also have the possibility to grab and hold the trim wheel. I know this is hindsight engineering, but more information related to the above four items is highly appreciated.
“question of whether MCAS is even necessary. This system was introduced to make the 737 MAX fly like older 737 models”
That is clearly a statement to protect the MAX and to cover the fundamentally flawed stability. The heavy new engines move the center of gravity forward, which means you need more downforce from the stabilizer most of the time, so the center of lift is further aft. On climb the large nacelles create a lot of lift, moving the center of lift fast forward. We don’t know how far, but possibly even beyond the COG. At higher angle of attack we must assume that the wing also loses some lift, as its center section is now behind the nacelle. I assume it increases the nose up tendency even further.
In combination with high thrust, higher altitude airports and/or full load, this nose up tendency might be hard or even impossible to handle, especially if you ad some gusts and/or less experienced hands on deck.
Of course this is still speculative, but for the the only reasonable explanation why Boeing installed this infamous MCAS and hid it as well as they could. And as they were basically writing their own certificate, no authority had to be informed about this “illegal” design and “illegal” patch.
So no, a special training will not suffice. A fix to the fix will not work either (MCAS 2 was allready pulled in March). A second AOA sensor will not cut it. The MAX need new hardware. Maybe a larger stabilizer will do, but maybe it would actually need a larger landing gear and new pylons too. And a new cert.
Gundolf, you are for sure right about one thing; what you say is all speculative.
When Boeing had the MAX design ready, it would require pilot simulator training, mainly because of the slightly different ‘flying characteristics’. The ‘big customers’ saw the pilot ‘upgrade requirents’ (in particular simulator training) as a something they didn’t prefer. Then Boeing made some software that made flying the MAX similar to flying the NG. They called the new software functionality MCAS.
When companies like Boeing make new types, and variants of a type, they take of course into consideration all variables, like new engines, wing location on the fuselage, weights like fuel, cargo, onboard equipment and services, and passengers. And they ensure that CG stays within acceptable limits.
The inclusion of the MCAS was in many ways an okay thing. But in hindsight we have learned that (1) Boeing would have been (much!) better off if they have had a detailed description of the MCAS functionality in the manuals, (2) they were wrong in assuming that pilots would handle a MCAS runaway as a Hstab runaway. It may be be some sense in assuming that, since it should be part of ‘basic handling skills’. So, (3) Boeing should have come (much!!) more on the offensive following the Lion Air accident, with very detailed information about the MCAS and how to handle consequences of AOA failures. So, (4) I guess Boeing now see that the AOA side of MCAS should have been more robust/fault tolerant.
Instead of assuming, let’s try to find the answers to your guesses – the answers are out their, at many places, I would guess.
Svein, sorry but I have to disagree on the key question:
“When companies like Boeing make new types, and variants of a type, they take OF COURSE into consideration all variables, like new engines, wing location on the fuselage, weights like fuel, cargo, onboard equipment and services, and passengers. And they ensure that CG stays within acceptable limits.”
To me it appears that they have severed exactly that golden rule! Boeing panicked over loosing key customers when the NEO was launched. Instead of sitting back, taking the blow and launching a proper new single-aisle, they pulled the MAX design out of the garbage and fixed it.
The key issue is not the COG, but the changing center of lift. I would love to see a graph that shows how the COL of the MAX changes with the AOA.
Hi, did you read Bjorn’s story back in November 2018? It was on November 14, you find it in the archive (if link – at the bottom- doesn’t work). Interesting with 261 comment! In the November archive you will also find Bjorn’s ‘lectures’ on interesting subjects like, pitch stability. In the meantime, I will search for the MAX’s OPS manual. I guess you read the Flightglobal stuff TW referred to. Is one of the challenges that airlines prefer ‘commonality’, – mainly to save on pilot training.
Reminds me, when I worked in the Far East, I asked (on more than one occasion),what’s that? The answer was (almost) always, same, same, – but different. As we can say about the MAX compared to the NG
A possible fix could be to locate the engines under the wings as with earlier 737’s and then use longer landing gear which can shorten to fit into the 737 MAX. This might require new training for pilots to practice landing with this new configuration, which Boeing wants to avoid, but at this point such training is probably inevitable. I am told such landing gear is used with the Airbus 330:
“Airbus A330s shorten the main landing gear length through a linkage mechanism for retraction. If I remember correctly it gives 10 to 12 inches extension of the MLG shock absorber cartridge in the MLG housing .”
I should add that it is not obvious that you want the engines under the wings; this could actually increase the torque, since the lever arm perpendicular to the engine force should increase. The problem could have to do with the location of the center of mass, or with the increase in torque due to the increase in engine force.
Several papers are reporting that Boeing shares have risen on reports that the Ethiopian crash was caused by a bird strike.
Wall street has no idea what this about.
We agree 100% on that.
It does not matter what caused the AOA failure (how often yes) but the MCAS kicking in was the killer.
After Lion Air the checklist updates the Pilots were given were IMHO completely WRONG. They did not account for the inability to manual trim above a certain speed (that speed still seems to be a mystery to everyone) the CORRECT path IMHO would be slow AC to Max Flaps speed, engage flaps 1. Use electric trim to trim plane, Disable auto trim, land plane ASAP.
The fact that MCAS failure would rear its ugly head at climbout at a high power setting and its nose down command would lead to rapid increase in air speed was grossly overlooked IMHO. Checklist was wrong clearly as ET 302 followed it and it did not work
Exactly. The point being, the flaps were the switch to shut of “runaway” speed trim (poor terminology which needs to be fixed), since there were no switches to do it.
The question should be asked, before the MAX is ungrounded, shouldn’t they make a switch to shut off speed trim and mach trim if the crew recognizes a malfuction (ne’e runaway), so that the trim switch can still be used to trim the aircraft with a motor that is working fine.
A flap position switch in the cockpit would have done that.
As the Sims were wrong on the Manual wheel ops, and the crew missed the speed control aspect (I am not blaming them but it was missed)
For it to be survivable the crew would have had to been perfect and when things don’t do what you know they should, confusion sets i.
I have not seen any information on just how much the pitch up on power is. Could someone tell me? All aircraft, that I know of, pitch up on power increase.
Its not the pitch up on power, its the pitch up on stall.
What aviator called accelerated stall (power) or not, its really not relevant as power is not being applied typically. Its there or its not.
Upshot is that more pitch up take place at stall with the MAX.
Its been deemed excessive (not how much, it just breaks over the line) and FAA then mandated a fix. Boeing did but screwed it up.
The reality is you don’t stall commercial aircraft (extremely rare). When it occurs its as a result of disorientation (they are screwed regardless and stall is just an incidental aspect ) or AF447, the crew does something nuts (full nose up) in response to another issue (speeds going low in their case).
What is ignored is that the stick shaker is active and telling you the AOA thinks its a stall (pilot flying side only) and you have alarms staying stall.
So how you mange to get a full stall and the added up pitch of the new engine location is worse is beyond me. Its been addressed with stick shaker and alarms already so what more is needed? If you can ignore that MCAS kicks in.
There are other areas they ignore (stabilize lock up) and hydraulics blow down that can’t overcome because there is no fix
So its a case of in this case we can do something (not should) and in that case we can’t so you are screwed. Wield logic (illogical)
The design process for automatic systems as what to do if there is a fault needs to greatly improved.
This is good with some more details worth reading
“The unanswerable question … is whether the FAA would have felt able to certificate the 737 Max with the knowledge of this increased stalling risk…”
Well, probably not.
And it looks like they will be looking at the Manual Trim as well.
And much better details
Boeing’s November 6 Bulletin and nearly the same FAA Airworthiness Directive, November 7, killed ET302. This is easy.
At 05:40:50 the captain said he would like to maintain 14000 ft. The FDR data shows they gained altitude since then. That’s not bad, even if the indicated altitude was wrong, they were far above 10000 ft.
Not bad. They used manual stabilizer trim with the STAB TRIM CUTOUT switches moved to CUTOUT. At 05:43:04 the captain said that pitch is not enough. 7 seconds later the FDR recorded 2 momentary manual electric trim inputs in the ANU direction. The stabilizer moved from 2.1 to 2.3 units.
This is what the Bulletin mentioned. Electric stabilizer trim can be used to neutralize control column pitch forces before moving the STAB TRIM CUTOUT switches to CUTOUT. Boeing did NOT mention how much time is available to use manual electric trim, how fast the STAB TRIM CUTOUT switches need to be moved to CUTOUT. The stabilizer moved only 0.2 units ANU, the control column pitch forces were not neutralized yet. At 05:43:20 another automatic AND command moved the stabilizer from 2.3 to 1.0 units. The END
Boeing adviced them in the wrong direction. Not instructing that CUTOUT needs to be switched directly after using manual electric trim is what killed ET302. Obviously using electric trim needs simulator training. Without electric trim ET302 could have reached the airport.
What is missing is that the NG and prior have the same problem re use of hand crank trim wheel use IF not corrected to near proper trim PRIOR to cutout. Made worse by a smaller trim wheel on the MAX. The roller coaster method use below several thousand feet altitude is a loser, and nothing said about the negative G effects of a sharp MCAS nose down at at any reasonable speed. Whether by standby electric ‘ drill motor ‘ attached to trim wheel, or some sort of emergency gearing arrangement to trim wheel or ?? does not seem to be in any discussion/correction- possibly because of the huge number of 737-xxx planes currently in use. Interesting that for decades, the only method of really using the trim wheel in full manual use was to ‘ start’ with near correct trim and at relatively low speed and no mention in manuals or really proper training.